firecrawl-research-patterns

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly scrapes and ingests public, user/third‑party web content via the self-hosted Firecrawl endpoints (/v1/search and /v1/scrape) and the 3003/3004 wrappers (e.g., arxiv.org, api.semanticscholar.org, author blogs, IEEE/ACM sites) as described in SKILL.md and the API reference, and then the agent reads and uses that scraped markdown to generate follow-up queries, recurse, and drive actions—exposing it to untrusted third‑party content that could contain indirect prompt injections.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill issues runtime fetches to the self-hosted Firecrawl endpoints (e.g., http://172.25.236.1:3002 and the wrapper at http://172.25.236.1:3003) and injects the returned raw markdown into the agent/LLM processing pipeline (corpus persistence and prompt context), meaning remote content fetched at runtime directly controls the agent's inputs and behavior.